"Scan file with Sophos AV" context menu function vs. Sophos Central exclusion list
We had a strange behavior of Sophos Endpoint Protection which should be solved by changing the behavior of the "Scan with Sophos AV" option in the context menu of Windows.
What happened:
A user had an infected Word file stored on his desktop. When using the context menu function "Scan file with Sophos AV", it didn't find anything wrong or suspicious.
This was weird because, according to VirusTotal, this file contained malware which was also detected by Sophos Endpoint Protection.
When checking the exclusion list in Sophos Central, we found an exclusion for C:\users*. This seems to prevent the "Scan file with Sophos AV" function from doing its job!
As soon as we removed this exclusion, Sophos detected the malware and cleaned it up immediately!
In our opinion, it's OK that Sophos didn't remove the file because of the exclusion.
But as soon as the user checks the file with this context menu function, it has to ignore all exclusions - at least file path exclusions!
Otherwise, the user has no clue about the potential danger and executes the malware!
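As an added illustration (not Sophos code and not part of the original post), a small Python audit that shows which sample paths an exclusion list would hide from scanning and flags blanket exclusions over the user profile root, like the C:\users* entry above. It assumes Windows-glob, case-insensitive matching in which `*` also spans directory separators, consistent with the behaviour described in the post; the sample paths and the second exclusion are constructed.

```python
"""Audit file path exclusions against sample paths (added example, not Sophos code).

Assumption: an exclusion is a case-insensitive Windows glob matched against the
full path, with '*' spanning directory separators (so C:\\users* covers every profile).
"""
import fnmatch
import ntpath

# Constructed sample data; the C:\users* entry is the one from the post.
EXCLUSIONS = [r"C:\users*", r"C:\Windows\Temp\build-cache\*.obj"]
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\invoice.docm",      # the user's Word file on the desktop
    r"C:\Windows\Temp\build-cache\main.obj",     # a legitimately excluded build artefact
    r"C:\ProgramData\app\config.xml",            # not excluded, would be scanned
]
# Roots under which a blanket exclusion hides every user-writable file (lowercase).
USER_DATA_ROOTS = (r"c:\users", r"c:\documents and settings")


def normalize(path):
    """Collapse separators and lowercase so matching is case-insensitive."""
    return ntpath.normpath(path).lower()


def matching_exclusion(path, exclusions):
    """Return the first exclusion that would suppress scanning `path`, else None."""
    p = normalize(path)
    for pattern in exclusions:
        if fnmatch.fnmatchcase(p, normalize(pattern)):
            return pattern
    return None


def is_overbroad(pattern):
    """True when the pattern is a user-data root followed only by wildcards/separators.

    Such an exclusion means nothing a user downloads or saves is ever scanned,
    including files the user explicitly right-clicks for an on-demand scan.
    """
    p = normalize(pattern)
    for root in USER_DATA_ROOTS:
        if p.startswith(root) and p[len(root):].strip("\\*?") == "":
            return True
    return False


def audit(paths, exclusions):
    """Map each path to the exclusion hiding it (None means it would be scanned)."""
    return {path: matching_exclusion(path, exclusions) for path in paths}


if __name__ == "__main__":
    for exc in EXCLUSIONS:
        print(f"{'OVERBROAD' if is_overbroad(exc) else 'ok       '}  {exc}")
    for path, exc in audit(SAMPLE_PATHS, EXCLUSIONS).items():
        print(f"{'SKIPPED' if exc else 'scanned'}  {path}  <- {exc}")
```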
